This is a great doc: Azure Private Link frequently asked questions (FAQ) | Microsoft Learn
What is the relationship between the following?
- private endpoint
- private link
- service endpoint

- A customer gets a "private endpoint" in their subnet - this is "a network interface that uses a private IP address from your virtual network"
- Traffic that goes to this private endpoint is then routed over a "private link"
- at the other end of that private link is a different subnet owned by a different customer/subscription
From Azure virtual network service endpoints | Microsoft Learn:
Service Endpoints enables private IP addresses in the VNet to reach the endpoint of an Azure service without needing a public IP address on the VNet.
From Use private endpoints - Azure Storage | Microsoft Learn:
Private endpoints can be created in subnets that use Service Endpoints. Clients in a subnet can thus connect to one storage account using private endpoint, while using service endpoints to access others.
You don't create service endpoints; you enable them on a VNet subnet:
$ az network vnet subnet update --resource-group glocktestrg \
--vnet-name gloclusterVNET \
--name gloclusterSubnet \
--service-endpoints Microsoft.Storage
For a private endpoint into storage, though, you have to create a private endpoint, which manifests as a NIC (it shows up in az network nic list):
az network private-endpoint create \
--connection-name glockconnection \
--name glockprivateendpoint \
--private-connection-resource-id '/subscriptions/XYZ/resourceGroups/glocktestrg/providers/Microsoft.Storage/storageAccounts/glockteststorage' \
-g glocktestrg \
--subnet glocksubnet \
--group-id XXX \
--vnet-name glockvnet
where XXX (the group ID) can be any one of the values listed in the output of:
az network private-link-resource list --id '/subscriptions/XYZ/resourceGroups/glocktestrg/providers/Microsoft.Storage/storageAccounts/glockteststorage'
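The two commands above are the whole procedure: list the private-link resources the storage account offers, pick a group ID, then create the endpoint. As an added example (not part of these notes and not Microsoft's code), the Python below reads a constructed sample of the listing output, maps each group ID to the private DNS zone it needs, and refuses to build the create command for a group ID the target does not expose. The sample JSON is constructed to follow the PrivateLinkResource shape (groupId, requiredMembers, requiredZoneNames); the resource names and the subscription id "XYZ" are the placeholders from the notes, not real values.

```python
import json
import shlex

# Constructed sample of what `az network private-link-resource list --id <storage account id>`
# returns for a storage account. The field names follow the PrivateLinkResource schema;
# the values are illustrative, not captured from a real subscription.
SAMPLE_PRIVATE_LINK_RESOURCES = json.dumps([
    {
        "groupId": "blob",
        "name": "blob",
        "requiredMembers": ["blob"],
        "requiredZoneNames": ["privatelink.blob.core.windows.net"],
        "type": "Microsoft.Storage/storageAccounts/privateLinkResources",
    },
    {
        "groupId": "file",
        "name": "file",
        "requiredMembers": ["file"],
        "requiredZoneNames": ["privatelink.file.core.windows.net"],
        "type": "Microsoft.Storage/storageAccounts/privateLinkResources",
    },
    {
        "groupId": "dfs",
        "name": "dfs",
        "requiredMembers": ["dfs"],
        "requiredZoneNames": ["privatelink.dfs.core.windows.net"],
        "type": "Microsoft.Storage/storageAccounts/privateLinkResources",
    },
])


def group_ids_from_listing(listing_json: str) -> dict:
    """Map each group ID in the listing to the private DNS zone names it requires.

    A private endpoint only covers one sub-resource (one group ID), so clients
    using a different sub-resource of the same account still take the other path."""
    entries = json.loads(listing_json)
    return {e["groupId"]: list(e.get("requiredZoneNames", [])) for e in entries}


def build_private_endpoint_create(resource_group, vnet, subnet, endpoint_name,
                                  connection_name, target_resource_id, group_id,
                                  listing_json):
    """Return the argv for `az network private-endpoint create`.

    The group ID is checked against the listing first: az would reject an
    unknown one anyway, but failing here gives a clear message and shows the
    caller which DNS zone the endpoint will need."""
    allowed = group_ids_from_listing(listing_json)
    if group_id not in allowed:
        raise ValueError(
            f"group id {group_id!r} is not offered by the target; valid: {sorted(allowed)}")
    return [
        "az", "network", "private-endpoint", "create",
        "--resource-group", resource_group,
        "--vnet-name", vnet,
        "--subnet", subnet,
        "--name", endpoint_name,
        "--connection-name", connection_name,
        "--private-connection-resource-id", target_resource_id,
        "--group-id", group_id,
    ]


if __name__ == "__main__":
    # Placeholder names and subscription id taken from the notes above.
    storage_id = ("/subscriptions/XYZ/resourceGroups/glocktestrg/providers/"
                  "Microsoft.Storage/storageAccounts/glockteststorage")
    for gid, zones in group_ids_from_listing(SAMPLE_PRIVATE_LINK_RESOURCES).items():
        print(f"{gid}: needs private DNS zone(s) {', '.join(zones)}")
    argv = build_private_endpoint_create(
        "glocktestrg", "glockvnet", "glocksubnet", "glockprivateendpoint",
        "glockconnection", storage_id, "blob", SAMPLE_PRIVATE_LINK_RESOURCES)
    print(shlex.join(argv))
```

Running it prints the three group IDs with their zones and the create command for the blob sub-resource; asking for a group ID that is not in the listing (say "queue" against this sample) raises ValueError before anything is sent to az.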